Storing A Hashed Password In Cookie


3 replies to this topic

#1 Aljade

Aljade
  • New Members
  • Pip
  • Newbie
  • 6 posts

Posted 28 June 2006 - 07:32 PM

I am making a user login system and I thought that, as a way to make a session/cookie more secure, I could store the user's password encoded with sha1 and verify it.

So for example when the user logged in I would make 2 sessions like so:
$_SESSION['user_id'] = $user_id;
$_SESSION['secure_hash'] = $user_sha1_password;

Also if the user selected to automatically login I created 2 cookies:
setcookie("autologin_userid", $user_id, time() + 31536000, "/Example", "example.com", 0);
setcookie("autologin_secure", $user_sha1_password, time() + 31536000, "/Example", "example.com", 0);

Then I would check the stored hashed password from cookies/sessions with the one that was stored in the database.

Now is this actually making my system more secure than if I just stored the user's id in the session/cookie or is it making it less secure?

Thank you!

#2 .josh

.josh
  • Staff Alumni
  • .josh
  • 14,871 posts

Posted 28 June 2006 - 07:36 PM

I personally do something like this: take the user name and password and join them together in my own super secret algorithm way. Then encrypt that with md5 or sha1 and store that string as a cookie.

#3 mac.php

mac.php
  • New Members
  • Pip
  • Newbie
  • 7 posts

Posted 28 June 2006 - 07:41 PM

Yeah that makes your system more secure in my humble opinion.

#4 Crusader

Crusader
  • Members
  • PipPipPip
  • Advanced Member
  • 74 posts
  • LocationCanada

Posted 28 June 2006 - 08:33 PM

I wouldn't suggest storing any passwords in a cookie. Why not just set up a session hash id that updated every page load?
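
One way to build the kind of rotating identifier suggested in the reply above, as an added example that is not part of the original thread: the auto-login cookie carries a random value that is replaced on every use, so nothing derived from the password ever reaches the browser. The function names, the cookie name `autologin` and the in-memory `$store` (standing in for a database table) are assumptions.

```php
<?php
// Added example; issue_token(), redeem_token(), send_cookie() and $store are
// hypothetical names. $store stands in for a database table keyed by selector.

function issue_token(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector = bin2hex(random_bytes(9));  // lookup key, not secret
    $token    = bin2hex(random_bytes(32)); // random secret, unrelated to the password
    $store[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token), // server keeps only a hash of it
        'expires'    => time() + $ttl,
    ];
    return $selector . ':' . $token;       // value to place in the cookie
}

function redeem_token(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $token] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);              // single use: the old value is retired
    if ($row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    // Rotate: every successful use hands back a fresh cookie value.
    return ['user_id' => $row['user_id'], 'cookie' => issue_token($store, $row['user_id'])];
}

function send_cookie(string $value): void
{
    setcookie('autologin', $value, [
        'expires' => time() + 1209600, 'path' => '/Example', 'domain' => 'example.com',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo: runs from the CLI with no browser or database.
$store = [];
$first = issue_token($store, 42);
$login = redeem_token($store, $first);
var_dump($login['user_id']);                        // user restored from the cookie
var_dump(redeem_token($store, $first));             // replay of the retired value
var_dump(redeem_token($store, $login['cookie'])['user_id']); // rotated value works
```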



